On the Robustness of (Photonic) Quantum Key Distribution with Classical Alice 
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Quantum Key Distribution (QKD) with classical Bob has recently been suggested and proven robust. Follow- 
ing this work, QKD with classical Alice was also suggested and proven robust. The above protocols are ideal 
in the sense that they make use of qubits. However, in the past, well-known QKD protocols that were proven 
robust and even proven unconditionally secure, when qubits are used, were found to be totally insecure when 
photons are used. This is due to sensitivity to photon losses (e.g., Bennett's two-state protocol) or sensitivity to 
losses combined with multi-photon states (e.g., the photon-number- splitting attack on the weak-pulse Bennett- 
Brassard protocol, BB84). Here we prove that QKD with classical Alice is still robust when photon losses and 
even multi-photon states are taken into account. 



Introduction — A two-way Quantum Key Distribution (QKD) 
protocol in which one of the parties (Bob) uses only classi- 
cal operations was recently introduced [1]. A very interesting 
extension in which the originator always sends the same state 
\+) = (|o> + \i))/V2 (see [8]), while in [1] all four states, |o>, |i>, 
\+) and |-) - (|o> - \i))/\/2., are sent, is suggested by Zou et 
al. [2]. In both those "semi-quantum" key distribution (SQKD) 
protocols the qubits go from the originator Alice to (classical) 
Bob and back to Alice. Bob either reflects a received qubit with- 
out touching its state (CTRL), or measures it in the standard 
(classical) basis and sends back his result as |o) or |i> (SIFT). 

Following [3] we prefer to call the originator in [2] Bob (and 
not Alice), and to call the classical party Alice: usually in quan- 
tum cryptography, Alice is the sender of some non-trivial data, 
e.g., she is the one choosing the quantum states. The originator 
in [2] does not have that special role, as the state |-i-> is always 
sent (and we could even ask Eve to generate it). The classical 
person is then the one actually choosing a basis and knowing 
which of the three state (|o), or |-i->) is sent back to the orig- 
inator, thus it is natural to name that classical person Alice. We 
call the originator Bob, and we call the SQKD protocol of Zou 
et al "QKD with classical Alice". Note that QKD with classi- 
cal Alice was also suggested, independently of [2], by Lu and 
Cai [4]. As proven in [3], QKD with Classical Alice (the proto- 
col suggested in [2]) is completely robust against eavesdropping. 

Here we use Fock-space representation to extend the QKD 
with classical Alice protocol to the important case in which Al- 
ice and Bob use photons and not merely ideal qubits. We first 
extend the proof of robustness to include photon loss, and subse- 
quently, also multi-photon states. Such extensions are far from 
trivial; on the contrary, often, robustness is actually lost when 
trying to deal with photons rather than qubits. 

As a first example, in the two-state scheme (known as the Ben- 
nett' 92 — B92 scheme), when qubits are assumed to be carried 
by photons, photon losses cause a severe problem: if Eve can 
replace a lossy channel by a lossless one, she might be able 
to get full information without causing errors at all, using an 
"un-ambiguous state discrimination" attack. See appendix, sect 
A. As a second example, in the four-state scheme (known as 
the Bennett-Brassard' 84 — BB84 scheme), when qubits are as- 
sumed to be carried by photons, photon losses combined with 
multi-photon pulses cause a severe problem: if Eve can replace 
a lossy channel by a lossless one, and can measure photon num- 



bers (via a non-demolition measurement), she might be able to 
get full information without causing errors at all, using a "photon 
number splitting" attack. See appendix, sect. B. 

The Fock space notations — The Fock space notations that 
serve as an extension of a qubit are as follows: in the standard (z) 
basis, the Fock basis vector |0, 1) stands for a single photon in a 
qubit-state |o> and the Fock basis vector |1,0) stands for a single 
photon in a qubit-state |i>. Naturally, the Hadamard (x) basis 
qubit-states are given by the superposition of those Fock states 
so that [|0, 1) + |l,0>]/v^2 stand for a single photon in a qubit- 
state |+> - (|o> + |i»/y2. The general state of this photonic qubit 
can then be written as a |0, 1> -i- ;6 11,0>, with \ a\^ + - 1. 

This photonic qubit lies in a much larger space called Fock 
space. The first natural extension is |0, 0> that describes the lack 
of photons (the vacuum state), a case of great practical impor- 
tance, as it enables dealing properly with photon loss. The next 
extension of a very high practical importance is that |2,0> de- 
scribes two (indistinguishable) photons in the same qubit-state 
|i>, 1 0,2) describes two (indistinguishable) photons in the same 
qubit-state |o), and |1, 1) describes two (in this case, distinguish- 
able) photons, one in the qubit-state |o>, and one in the qubit- 
state |i>. This case (a six dimensional space, describing two or 
less photons) was found very important in the photon number 
splitting attack [5], as prior to that analysis, experimentalists as- 
sumed that the only impact of high loss rate is on the bit-rate and 
not on security. 

In general, if a single photon can be found in two orthogonal 
states (these are called "modes" when discussing photons), then 
Iwij^o) represents (respectively Uo) indistinguishable pho- 
tons in a qubit-state |i) (resp. |o)). The numbers rio and «i are 
then called the occupation numbers of the two modes. From now 
on, the notations I o> = |0,l>,|i>= |1,0>, K> = (|0,1>-H |l,0»/\/2 
and |-> = (|0,1> - |l,0>)/v^ will be used interchangeably. Sim- 
ilarly, since the single photon can also be found in |0, l)jc = |-i-> 
and |l,0)x = |-> (namely, the x basis), then \n-,n+) represents 
n_ (resp. n+) indistinguishable photons in qubit-state |-> (resp. 

More generally, one may consider more than two modes. For 
instance, the four modes | n^i,, n^^a, nob< ^oa) are the generaliza- 
tion of qu-quadrit (say a photon in one of two arms a or b, and 
one of two orthogonal polarizations, denoted o or i). 

The classical Alice protocol, dealing with losses — The origi- 
nator Bob sends Alice qubits in the state |-i-> and keeps in a quan- 



turn memory all qubits he received back from her [9]. When N 
qubits have been sent and received, (classical) Alice announces 
publicly which qubits she reflected (without disturbing them); 
the originator Bob then checks that he received |+> and not |-> 
on those positions (CTRL). For the (SIFT) qubits measured by 
Alice in the standard (classical) {|o>;|i>} basis, a sample is cho- 
sen to be checked for errors (TEST). The remaining SIFT bits 
serve for obtaining a final, secure key, via error correction and 
privacy amplification, as in any conventional QKD protocol. 

Defining the (limited) "photonic QKD with classical Alice" 
protocol. The qubits are embedded in the 3 -dimensional, 2- 
mode Fock space containing the qubit states |1,0> and |0, 1> and 
the vacuum state |0,0>. The Hilbert space describing AliceH-Bob 
states is (for now) the subspace 

J^AB = Span(|0,l>, 1 1,0), 10, 0>) c ^ (1) 

of the more general 2-mode Fock space (J^). 

In this photonic protocol. Bob is always sending the |+> state. 
Losses or vacuum states are modeled by the state |0, 0>, and thus, 
we must define Alice's and Bob's operations when such states 
occur Losses normally come from the interaction with the en- 
vironment; as usual, the (worst case) analysis gives Eve total 
control on the environment. Classical Alice can either SIFT or 
CTRL [2, 3]. In the SIFT mode, Alice's "measurement" is de- 
scribed (WLG) with the adjunction of a probe, extending .^^ab 
to J^A ® -^AB, a unitary transformation and a measurement of 
her probe in the standard basis. Such a description is meant to 
match the general framework of measurements in quantum in- 
formation, and may not correspond to the actual physical mea- 
surement performed by Alice. Using the Fock-space notations, 
it is assumed that Alice adds a two-mode probe in a state |0,0>a 
to get the state \^,^) a\+) ab- Alice then performs one of the fol- 
lowing two operations (with | «i , no>yiB in the z, i.e. the standard 
basis): 

f/CTRL|0,0>Al«i,«o>AB = |0, 0> a I «i, «o> (2) 

then she measures her probe in the standard classical basis and 
sends AliceH-Bob's state to Bob; in the case described by Eq. (2) 
(CTRL) she needs not measure, still the probe and its measure- 
ment are added there only to make the description uniform; 
Bob's original state (|+>ab) is reflected back to him, undis- 
turbed. In the case described by Eq. (3) (SIFT), Alice gets the 
outcome n^no, and the state \ni,no)AB is sent to Bob. Note 
that, in order to analyze the enlarged space of the protocol, we 
had to add the definition of Alice's operation on the added state, 
\0,0)ab- Our choice of LfsiFT|0,0>A|0,0>AB = |0,0>aIO,0>ab is 
the most natural way of extending Alice's SIFT operation, and 
it thus becomes part of our definition of the protocol "Photonic- 
QKD with classical Alice". 

Naturally, when Bob measures in the classical (z) basis, he 
also measures the same three states as Alice, \ni,no) with 
rio + < 1. However, the space ,J^ab (1) is also spanned by 
the orthonormal basis {|+>, |->, |0,0>}, thus Bob (who is not 
limited to being classical) can perform a measurement in this 
generalized x basis of the qutrit. 

Eve's attack on the (photonic) classical Alice protocol. Eve 
performs her attack in both directions; from Bob to Ahce, Eve 



applies U ; from Alice to Bob, Eve applies V. We may assume, 
WLG, that Eve is using a fixed probe space for her attacks 
in both directions. The attack from Bob to Alice produces a state 
of the form |£oi> |0, Dab + l^io) |1,0>ab + |£oo> |0,0>ab (namely 
Xni.no I no+«iSi I > I "i > "o > yiB £ ^ » Mab), where the 
\Eij) are non normalized (and potentially non-orthogonal) vec- 
tors in JifE- With Alice's probe attached we obtain 

^= Z \En,nJ\0,0)A\n^,no)AB , (4) 

111, no I no + iiSl 

in Jf^E '^A ® J^AB- In particular, if Eve does nothing then 
|iJio> - l-Boi) = \Eoo} = \E) and the state in AliceH-Eve's hands, 
prior to Alice's operation, is \E) |0,0>a I+>ab ■ 

Going back to the general case, if Alice applies Uctrl, then 
the state in Even- Alice hands (after Alice's CTRL action) is still 
|^>. However, if Alice applies L/sift, the resulting global state 
in Even- Alice's hands is 

\En^no)\ni,no)A\ni,no)AB 

and after Alice has measured her probe, she gets some output 
({00,01,10}), and some (non normalized) residual state that she 
sends back to Bob. 

Once Alice has performed her measurements and sent \ i,j)AB 
back to Bob via Eve, the resulting global state (fully in Eve's 
hands) is 



Measurement 


State 


00 


IVoo>= |£00>|0,0>AB 


01 


IVoi>= l£oi>IO,l>AB 


10 


IVlO>= l£lO>|l,0>AB 


CTRL 


W) = IVoo>+ IVoi>+ IVio> 



where are not normalized, and where the |ijjj> were cho- 
sen by Eve. Eve now applies a unitary V on ,^e ® ■^ab and then 
sends Bob his part of the resulting state. 

A proof of robustness. For Eve to stay undetectable, if Alice 
measured |0, 0> (namely, the outcome 00) in the SIFT mode, then 
Bob should have a probability zero of measuring 01 or 10, thus, a 
probability zero of receiving the states |0,1> or |1,0>. Similarly 
if Alice measured 10 (01), then Bob should have a probability 
zero of measuring 01 (10); he could however get a loss, 00. The 
resulting (non normalized) Even-Bob residual states thus take the 
form |i/'oQ> - V\if/oo) - I-Hqo) |0,0>ab when a loss arrives, and 
otherwise, 

|1/'01> = ^|1/'01>= |f01>|0,l>AB+ |Hoi>|0,0>AB 

|l/'io> = ^|l/'lO>= lflO>|l,0>AB+ |Hio>|0,0>AB . (5) 

Finally, V being linear, the (normalized) residual state if Alice 
applied CTRL is ly/') = V\yf)^ ly/'^^) + ly/'^^) + \yf[f^). 

In order to check CTRL bits. Bob measures \y/') in the x 
basis and checks if he gets a photon in the illicit state |->. 
To avoid that. Eve must make sure that the overlap between 
Eve-Bob's state and Bob's state |-) is zero. This re- 
sults with another limitation on Eve's attack: the norm of 
ab(-|(I^'oi>|0,1>ab) + ab<-|(I^'io>|1,0>ab) must be 0; namely, 
\Foi){- I 0,1>+ IFioX- I 1,0) = (|Foi>- |Fio»/v^ = 0, i.e. 
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\Foi) - \Fw} - \F} for some (non normalized) state \F) e Me- 
The final global states (5) if Alice measured 01 and 10 are thus 
(respectively) 

|F>|0,1>AB+ |Hoi>|0,0>^B 

|F>|1,0>AB+ |Hio>|0,0>^B , (6) 

and if Bob does not get a loss. Eve's final state is |F> whether 
Bob measures |0,1> i.e., the bit o, or |1,0>, i.e., the bit i. Eve's 
final probe is, thus, independent of all of Alice's and Bob's mea- 
surements, and is unentangled with their state. 

Eve can thus get no information on the bits Alice and Bob 
agree upon without being detectable. That reasoning can be 
done inductively bitwise to get robustness with N qubits. 

The classical Alice protocol, dealing with losses and multi- 
photon pulses — In practice, there are not just losses: when 
qubits are encoded using photon pulses, there may be more than 
one photon per pulse, giving the eavesdropper more tools to get 
information on the SIFT bits. We now allow the Hilbert space to 
contain all photonic states of the above-mentioned two modes. 
Namely, we consider all states |ni,no> with + «i > 0. As 
before, we must specify Alice's and Bob's operations on those 
states. 

Defining the (fidl) "photonic QKD with classical Alice" pro- 
tocol. If Alice and Bob can distinguish one from more than one 
photon, extending the results of the earlier section is rather triv- 
ial; in brief. Eve becomes limited to the same space as in the 
previous section, or else she will be noticed. 

The interesting extension is when Alice and Bob are lim- 
ited, and cannot tell a single photon pulse from a multi-photon 
pulse. It is conventional to say that they have "detectors" and 
not "counters". This, of course, is in contrast to Eve who has 
counters, and who can do whatever physics allows. 

We now assume a specific realization of the Fock states, to 
make the limitation on the measurements more clear We assume 
that the two classical states, |o) and |i>, describe two pulses on 
the same arm, such that the photon can either be in one pulse, 
in the other, or in a superposition such as the (non-classical) 
state |+>. Measurements are applied onto the two modes sep- 
arately, using two detectors, thus a state |1,1> as well as any 
state 1^1, «o) with both > I and > I can be identified as 
an error That will be enough to guarantee robustness. 

As before, we assume that Alice's CTRL operation is given 
by Eq. (2), yet now, with rio and «i being any non-negative 
integers. Let - I if > 1, else - 0; similarly, fio - I 
if rio > 1, else ho - 0. To model properly the use of a de- 
tector that clicks when noticing one or more photons, it is as- 
sumed that in the SIFT mode Alice still attaches a probe in the 
|0,0>yi state. Now she applies the following transform, [/sift, 
on.^® where ^ = Span(|0,0>yi, |0,l>yi, |l,0>yi, |1,1)a) 
and JfAB is AliceH-Bob's 2-mode photonic space: 

[/siFT|0,0>y5|ni,no>AB= \fii,ho)A\ni,no)AB ■ (7) 

Alice then measures her probe in the 10,0)^, |0, l>yi, |l,0>yi and 
|1,1>A basis; she cannot distinguish \ni,0) with > 2 from 
|1,0), yet she can distinguish |1,1> from |1,0>. When Hi > 1 or 
«o 5 1 she sees - I or ho - I (respectively); if both «i > 1 
and rio^l then she measures her probe in a state 1 1, 1)^; this is 
telling her that the state she received is illicit. 



We need to carefully define Alice's operation on the states she 
receives, as the robustness analysis depends on the residual state 
after Alice's "measurement", which Alice sends back to Bob; 
we now consider two legitimate options for defining that state. 
In one, which we could call "the conventional measure-resend 
approach", we assume that depending on which detector clicks, 
the state |0, 1> or the state |1,0) (or the state |0,0) if no detector 
clicked) is then sent back to Bob. However, now Eve could pre- 
pare the state (|0,2> + |2,0»/v^ and send it to Alice; in CTRL 
mode the same state will return to Eve, while in SIFT mode only 
a single photon (or none) will be given back to Eve. Thus Eve 
(who can measure the number of photons) will easily decode Al- 
ice's operation, and will be able to measure (and resend) in case 
of SIFT, or send the state (|0,1> + |l,0»/v^backto Bob in case 
of CTRL. 

We thus stick here to a different way of defining the resid- 
ual state after Alice's action: we simply assume that the state 
1^1, Wo) is sent back to Bob in both Eq. (7) and Eq. (2). In- 
cidently, that attack above is an example of a simple tagging 
attack. In a separate work (in preparation) we present a modi- 
fied photonic classical Alice protocol that prevents many other 
tagging attacks, including the one suggested in [6] as an attack 
against QKD with classical Bob ([1]); see also [7]. 

Eve's attack on the (photonic) classical Alice protocol. Eve 
performs her attack in both directions using a fixed probe space 
,y^E\ from Bob to Alice, Eve applies U; from Alice to Bob, Eve 
applies V. The attack from Bob to Alice produces a state of the 
form Y. IFjiiOo) «o>AB e ^ «> M'ab where M'ab = ^- With 
Alice's probe attached we obtain 

l'I'> = LlF„,„e>IO.O>Al«i,«o> , (8) 

in «> «> . In particular, if Eve does nothing then 
\Enj^nJ - \E) independently of and rio, and the state in Al- 
iceH-Eve's hands, prior to Alice's operation, is IF) |0,0)yi \+)ab ■ 
Going back to the general case, if Alice applies Uctrl, then 
the state in Even- Alice hands (after Alice's CTRL action) is still 
|¥>. However, if Alice applies L/sift, the resulting global state 
in Eve-F Alice's hands is 

\En^nJ\hi,ho)A\ni,no)AB ; 

after Alice has measured her probe she gets some output 
({00,01, 10, 11}), and some complicated (non normalized) resid- 
ual state (sent then back to Bob) that we soon analyze. 

Eve now attacks that residual state on the way back from Alice 
to Bob using the unitary V acting on both her probe and the state 
sent by Alice to Bob (see below). Eve then sends Bob his part 
of the resulting state. 

A proof of robustness. Alice's measuring abilities put a con- 
straint on the state \W) for Eve not to be detectable: Alice's prob- 
ability of measuring \11)a according to that model must be zero, 
or else Eve can be noticed. It is thus required that \E,ij^no) - 
for rij^xHo ^ 0. Therefore, Eve-F Alice's state when Alice applies 
[/sift must take the form 

E IFo„„>|0,1>aIO,Wo>+ E \En,o)\l,0)A\n^,0) 

+ |Foo>|00>a|0,0> . 
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Once Alice has performed her measurements and sent | /, ]')ab 
back to Bob via Eve, the resulting global state (fully in Eve's 
hands) is 



Measurement 


Residual state (in Eve's hands) 


00 


Wqo)^ |£oo>|0,0>ab 


01 


IV01> = Z„o>l |£ono>|0'"o>AB 


10 


IVlO> = Zni>l |£«iO>I«i,0)ab 


CTRL 


\V) = IVoo> + IVoi> + W\a) 



where \^rij) are not normalized, and where the \Eij) were cho- 
sen by Eve. Eve now applies a unitary V on J^«>,i^B and then 
sends Bob his part of the resulting state. 

Recall that Eve attacks now using the unitary V acting on 
the residual state in ® ^^'ab, and then she sends Bob his 
part of the resulting state. Bob's measuring abilities put more 
constraints on the state |i//> for Eve not to be detectable. In 
case the SIFT bit is used for TEST, Bob's probability of mea- 
suring 11 must be zero, no matter what Alice measured. Fur- 
thermore, for Eve to stay undetectable, if Alice measured |0,0> 
(namely, the outcome 00) in the SIFT mode, then Bob should 
have a probability zero of measuring 01 or 10, thus, a probabil- 
ity zero of receiving the states |1,0) or |0, 1>. Similarly if Alice 
measured 10 (01), then Bob should have a probability zero of 
measuring 01 (10); he could however get a loss, 00. The result- 
ing (non normalized) Even-Bob residual states thus take the form 
- ^IVoo) - \Hoo) \0,0) AB when a loss arrives, and 

IV'oi> = ^IV'oi>= L \Fono)\0,no)AB+\Hoi)\0,0)AB 

\V'w)^V\Vw)^ E \Pn,o)\n^,0)AB+\Hio}\0,0)AB (9) 

otherwise; V being linear, the (normalized) residual state if Alice 
applied CTRL is ly/') = V\yf) = lyr'^^) + ly/'^^) + ly/'^^). 

In order to check CTRL bits. Bob measures \y/') in the x ba- 
sis and checks if he gets at least one photon in any illicit state 
such as |-); more precisely, he measures ly/') in the Fock basis 
\n-,n+)x corresponding to the x basis of single photon states, 
and aborts if he gets «_ > (if the detector for |-> photons 
clicks). To avoid that. Eve must make sure that the overlap be- 
tween Eve-Bob's state \yr') and each state of the form |«_, n+)x 



with n_ > is zero. This results with another limitation on Eve's 
attack. We clarify in the appendix, sect. C the expansion of 
the x-basis Fock states \n-,n+)x using the z-basis Fock states 
«o) and prove the following: 

Lemma — If Bob has a zero probability of measuring any state 
\n-,n+)x with ri- > 0, then |_Foi> = |fio>, and |Fo„> = |F„o> = 
for n>\. 

Letting |F> - |Foi> - \F\a), Even-Bob's final residual states 
given by (9), if Alice measured 01 and 10, are reduced to, strik- 
ingly, exactly the same states given (for the simpler case) by (6) 
(respectively). As before, if Bob measures in the z basis and 
gets a SIFT bit. Eve's final state \F) is the same whether Bob 
measured or 1 and she thus can get no information on either 
Alice's measurement or Bob's result: the protocol is completely 
robust. 

Conclusions — From the above analysis we conclude that Bob 
must in the end, on CTRL bits, get either a loss or exactly the 
state |+>, which he thinks he sent. This does not mean that Eve's 
attack is trivial (namely, she must send |+> to Alice, and do 
nothing on the way back). As the simplest non-trivial attack. 
Eve could prepare the state |£>[|0,2) + |2,0)]/\/2, and apply the 
transformation y[|£'>|0,2>] = \E)\0,V);V[\E)\2,0)] = |£'>|1,0> 
on the way back, without being noticed, but also, without gain- 
ing any information, as we proved here. 

Discussion — We presented here a proof of robustness for two 
protocols in which Alice is classical, one that takes photon losses 
into account, and a more relevant one that also deals with multi- 
photon pulses. The optimistic conclusion of robustness here is, 
unfortunately, not the end of the story, and further research is 
required: First, we dealt in this paper only with the generaliza- 
tion of the qubits of "QKD with classical Alice" into two modes, 
and we left the case of more modes open. Second, here we let 
almighty Eve prepare the state; unfortunately. Bob is not as ca- 
pable as Eve, and in reality, he is the one preparing the state, not 
Eve; Bob, who tries to generate the state |0, 1);^, may be unable 
to avoid (sometimes) sending the state \0,2)x which will often 
cause all reading in the computation basis, and destroy the full 
robustness. Still, there is evidence (yet, no proof) that the clas- 
sical Alice protocol is more robust than BB84. See appendix, 
sect. D where we also propose three ways to improve the partial 
robustness (or the security) of our protocol, and of BB84. 
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Appendix 



Section A: On the Robustness of the Ben92 Scheme 

Let Alice generate a string of qubits by choosing randomly 
(with equal probability) one of the two distinct and non orthog- 
onal states \Uo) and \u\) and sending it to Bob via a quantum 
channel. Bob measures the incoming qubits at random either 
in the orthonormal basis { | Mq), I Wo)i or in the orthonormal basis 
\ u'^)]. If he measures \u'^), he can be sure he was sent 
I Mo) because he can't have been sent | Ui). Similarly, if he mea- 
sures IMq), he is certain he was sent |Mi>. Note that if Alice 
sent I Mo) and Bob chose (with a probability half) to measure in 
the {|Mo), IMq)} basis, he will surely get |Mo), hence an inconclu- 
sive result. With that procedure, the probability of a conclusive 
(un-ambiguous) measurement [10] is 



Pcondusive= (1/2)[1-KMo | Mi>| 



(Al) 



The procedure is robust against eavesdropping because if he 
was sent |Mo), and he measured in the {|Mo), Im^)} basis, and 
he did not get |Mo>, then he knows the incoming state has been 
tampered with; similarly, if he was sent |Mi) and measured |m^>. 
For a security analysis one must allow some small probability of 
noise, hence of errors and/or losses. 

If high loss-rate cannot be avoided, which is a typical case 
in QKD, the Ben92 scheme as described here becomes totally 
non-robust; Bennett [11] was, of course, aware of this, hence 
designed his protocol differently. In case high losses must be 
tolerated, such that (lossrate) > 1 - ^conclusive - (1/2)[1 + Kmo | 
Mi)|^], an eavesdropper can simply catch all the qubits coming 
out of Alice's hands, measure according to Bob's procedure, and 
send Bob (via a lossless channel) the proper state only when the 
measurement was conclusive, else send nothing. This attack was 
called "conclusive attack" in the past, but later on the term "un- 
ambiguous state discrimination" became more popular then the 
term "conclusive". 

It is interesting to note (although not vital for the current pa- 
per, hence we skip the details here) that Eve can even do bet- 
ter than Bob, since she is more powerful, using generalized 



measurements (POVMs) as described in [12-14]; see also [15- 
17]. Thus it can be shown that even if the lossrate is below 
(1/2)[1 + Kmo I Mi)|^], yet as long as it is above Kmq | Mi>|, the 
protocol is still totally non-robust. 



Section B: On the Robustness of the BB84 Scheme 

This section should be read after the paragraphs concerning 
the Fock notations for pulses with indistinguishable photons in 
the main article. 

The photon number splitting attack was introduced in [5]. 
Here is a short description in the notations and the framework 
of the current article. 



1. Nondemohtion-splitting of two photon pulses 

We assume that Eve has an initial probe |0,0)^ in the Fock 
space. Photonic states |Mi,Mo> sent from Alice to Bob are at- 
tacked with Lf|0,0>^|Mi,no) = |0,0)^|ni,no) if «o + «i 7^2 and 



[/|0,0>^|0,2> = |0,1>^|0,1> 
U\Q,Q)^\2,Q) = |1,0)'^|1,0> 



U\Q,Qf\\,\) = — [|1,0>'^|0,1>+ |0,1>^|1,0>]. 
v2 



(Bl) 
(B2) 

(B3) 



The first two equations mean that if two photons in the |o) state, 
i.e. |0,2>, or in the |i> state, i.e. |2,0>, are sent. Eve keeps one. 
The third equation is required for the same to hold when the 
two photons are in the |+> state, i.e. 10,2);^, or in the |-> state, 
i.e. |2,0>;c- Thus, U describes a nondemolition-splitting of two 
photons if those are prepared in the standard or Hadamard bases. 

Let us now demonstrate the effect of U in the x-basis. For one 
photon pulses 

|0,l):, = |+) = ^[|o) + |i)] = ^[|0,l)+ 11,0)] (B4) 
11,0);. = |-) = ^[|o>-|i>] = ^[|0,l)- 11,0)] . (B5) 

^/2 n/2 

Toexpress 12,0);. as a superposition of the states |0,2>, |1,1> and 
|2, 0>, we need to discuss how to deal with indistinguishable par- 
ticles; more details can be found in Sect C. The state |2,0> cor- 
responds to two indistinguishable photons in the state |-) which 
is a pulse containing a state similar to | — >, but with no impor- 
tance to the order of the two single-photon states. Because the 
photons are indistinguishable, we can write 

I — ) = ^ [|o) - li)] ® [|o) - |i)] = i [loo) - loi) - |io> + 111)] 

with indistinguishable particles within each term. The state 
|oo) means two identical photons in the |o) state, and corre- 
sponds to |0,2). Similarly the state |ii) corresponds to two 
identical photons in the |i) state, i.e. to |2,0). Remains, af- 
ter normalizing, the (already symmetric) state and that 
state corresponds to one photon in state |o) and one photon in 
state |i) permuted in all possible ways, and then normahzed, 
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which corresponds to state |1,1>. Since | — > for two photons 
equals 2[|oo> - v^i2i>^i£2 + |ii>] and, similarly, | ++> is equal 

to i[|oo> + v^l^i^ii;^ + |ii>], we conclude that 



|0,2);,= i[|0,2> + y2|l,l>+ |2,0>] 
|2,0>;, = i[|0,2>-V2|l,l>+ |2,0>| 



(B6) 
(B7) 



These two identities are obtained with an alternative method 
(raising operators) in Sect C 2. From the definition of U above, 
we can now derive the equalities 



f/|0,0)^|0,2>;,= |0,1>^|0,1>;, 
LT 10,0)'^ 12,0);,= 1 1,0)^ 1 1,0);,. 
Here is the derivation of (B9): 

|0,2>- v^|l,l>+ |2,0>' 



[/|0,0>^|2,0>;t = t/|0,0>'^ 



10,1)^10,1) 
2 

11,0)*^ 10,1) 
2 

11,0)^^11,0) 



10,1)^^11,0) 



\0,lf- 11,0)^^^ 10,1)- 11,0) 



V2 

11,0)^,11,0)^. 



V2 



(B8) 
(B9) 

by (B7) 

by (Bl) 

by (B3) 
by (B2) 

by (B5) 



The derivation of (B8) is identical, with '+' everywhere instead 
of Equations (Bl) and (B2) together with (B8) and (B9) 
mean that Eve's attack is unnoticed both in the z and the x basis 
on two identical photons: Bob receives a single photon, "undis- 
turbed", and Eve gets full information when the basis is pub- 
lished. 



2. The PNS attack on the BB84 protocol 

In the BB84 protocol [18], photons go from Alice to Bob. For 
each choice of basis b (z or x) and each bit chosen randomly, it 
is assumed that Alice sends |0,0) with probability po, |0, l)i, or 
|l,0)j, with probability pi, and |0,2)j, or |2,0)i, with probability 
P2, where |ni,no)z = |«i,?io). We may assume that po + Pi + 
P2 = 1. We also assume p2 « pi, and a loss rate close to 100%, 
i.e. F-1- (lossrate) « 1. 

In N trials. Bob expects Fp\N single photon pulses from the 
expected p\N single photon pulses coming from Alice. From 
the expected P2N two-photon pulses coming from Alice, the 
chances that the two photons will be lost in the channel are 
(lossrate)^ - {\-F)^. The chances that at least one photon 
reaches Bob are thus 1 - (1 - F)^ and so Bob expects a total of 

X^[Fpi + {\-[\-Ff]p2]N 

non empty pulses. In the PNS attack Eve makes sure Bob gets 
the number of pulses he is expecting. If 

P2N>X^ [Fpi + [1 - (1 - Ff] P2] N 



I.e. 

P2 ^ F 
Pi (1-F)2 

then the number of two photon pulses emitted by Alice, namely 
P2N, is larger than the number of pulses Bob is expecting. With 
the non lossy channel. Eve can simply select X two photon 
pulses from those pulses sent by Alice (she is able to count 
photons), and attack them with the two photon pulse attack (Eq. 
B1-B9), keep one photon and send Bob the other. She thus sends 
X single photon pulses to Bob; there is no way for Bob to check 
for eavesdropping; he receives exactly the number of pulses he 
is expecting, and as they should have been generated in the first 
place in the ideal qubit protocol. The BB84 protocol is thus com- 
pletely non robust as soon as P2lp\ >FI{\-F)^ which, to a first 
order approximation [19], holds when the rate of two-photon 
pulses amongst the non empty pulses is larger than F. 



Section C: Changing Basis in the Fock Space and the Proof of the 

Lemma 



The quantum states of the photons manipulated by Alice and 
Bob can be described as states in the Fock space J? whose 
Hilbert basis is given by the Fock states |«i,«o) where is 
the number of indistinguishable photons in the |i) state and Uo 
the number of indistinguishable photons in the |o) state. Al- 
ice and Bob however also use the Hadamard basis |+), |-) and 
we also need to use the Fock states n+)x as a basis for 
where \n-,n+)x corresponds to ri- indistinguishable photons in 
the |-) state and n+ indistinguishable photons in the |+) state. 
The states |«o,ii) and \n-,n+)x belong to the same space of 
states. How are they related? A pulse \n-,n+)x with «_ in- 
distinguishable photons in the |-) state and n+ in the |+) state 
can always be expressed as a superposition of pulses |ni,«o) 
with photons in the |i) state and Uq photons in the |o) state 
such that n+ + ri- - rio + n2_. In this paper, we need to know the 
coefficients of that superposition when either n+ or n- is zero. 



1. The symmetric state method 

We already presented formulas for 10,2)^: and |2,0)j; in Sect 
B, namely Eq. (B6) and Eq (B7). The very same reasoning can 
be applied with three indistinguishable photons in the |-) state. 
Expanding |-)®^, which corresponds to three photons in the |-) 
state, thus 13,0)^^, gives 

|ooo) - lOOl) - lOlO) + loii) - llOO) + lioi) + liio) - |lll) 

and using the following normalized states as a representation for 
the Fock states 

all photons in the |o) state 



10,3) = 


looo) 




1 


11,2) = 




^" 






12, 1) = 






13,0) = 


liii) 



all photons in the |i) state 
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we obtain 

13,0);, = \ |0,3> - v^|l,2> + V3\2, 1> - |3,0>1 

Of course, |0,3>x gives the same expansion, but with + every- 
where. This reasoning generaHzes to \0,n)x and \n,0)x provided 
we accept that n-k photons in the |o> state and k photons in the 
|i> state corresponds to the equal superposition of all n qubit ba- 
sis states |7> that have k bits equal to i and thus n-k bits equal 
to 0, i.e. Hamming weight \j\ - k. Notice that the number of 
n-hit strings with Hamming weight k is (^) and the normalizing 

factor is thus ('^) 



i the symmetric state representation is 

/ \-l/2 



\k,n - k) 



je{o,ij" 
l;l=fc 



(CI) 



Using the well known (within the quantum information commu- 
nity [20, p 35]) formula 



(C2) 



where H is the Hadamard transform i.e. H|o> : 
|-), we deduce the general formula 



|+> and H|i) : 



1 



,k, 



1/2 



\k,n-k) 



(C3) 



as follows: 



1 



1 



^ I fc=0 \i\ = k 



\/2" /S) 



ykj 



1/2 



\k,n- k) 



by (C2) 

group by number of ones 
by (CI) 



Similarly, \n,0)x corresponds to |->®" = (H|i»^" = H^"|i> for 
/ = |i...i> (n "i" bits); then = (-l)l-'l = (-1)*^ in (C2) 

and 



1 



i«.o>, = — j^E(-i) 

v2 jt=o 



ykj 



1/2 



\k,n- k). 



(C4) 



Since it is also true that H|+> - |o> and H|-> - formulas 
(C3) and (C4) hold if we move the index x from the left to the 
right to express \0,n) and \n,0) in terms of the \k,n-k)x- 



2. The raising operator method 

That method should be more congenial to anyone having 
some knowledge of quantum field theory or quantum optics. It 
can be shown that to the standard basis |o> and |i> corresponds 
a set of two commuting operators that we will denote al and a| 
such that 



t "i t "o 



|0,0) = \/ riilnol \ni,no) 



(C5) 



Similarly, to the basis |+>, |-> corresponds the set of commuting 
operators a| and al, and they are such that 



fll" a\'^^ \0,0) - \/ n-\n+\ \n-,n+)x 



(C6) 



Moreover, relating the operators a\ and al_ to a\ and a\ is quite 
straightforward. From |+> - -^Wo) + |i>] and |-> = -^Ilo) - |i>] 
we are allowed to deduce 



a[ - 



V2 



1 



a '_ — —= I - flH 
v2 ' 



(C7) 



All calculations are then direct without any intermediate sym- 
metric state representation. Here they are for \2,0)x (using the 

fact that a\_ is the identity and 0! = 1): 



|2,0>;, = ^fll^0,0> 



1 1 



1 1 r t2 



al- a{f \0,0} 



by (C6) 
by (C7) 



^ 2ala{ + a[ |0,0> 



v^' 

^^[v^|0,2>-2v^|l,l> + v^|2,0>] by(C5) 



:i[|0,2>-v^|l,l>+ |2,0>| 



which coincides with (B7). Newton's binomial expansion may 
be applied because the operators commute. To get (C3) for 
\0,n)x and (C4) for \n,0)x one needs only follow the same rea- 
soning as above with n instead of 2; 



\n,0)x^^ai"\0,0) 



1 


a\-a\ 


n 

10, o> 


sfn\ 


\ V2 


1 


1 ^ 


n\ 


V^" 


^\tQin-k)\k\ 


1 


1 " 


n\ 




V^^o(n-fc)!A;! 


1 


n 

E(-i)' 


, .1/2 
n 

k " 



\k,n- k). 



3. Two distinguished states 

The amplitudes in Eq (C3) and Eq (C4) are exactly the same, 
but to a phase factor, and in both cases the distribution of the 
number of identical photons in state |i) if we repeat the mea- 
surement in the standard basis is the binomial B[n,p - 1/2), 
for which f[k;n,p) - - with p = 1/2. However, 

there is a negative sign on the amplitude for odd values of k in 
Eq (C4). That means that those amplitudes cancel when \0,n)x 
and \n,0)x are added. That interference gives two distinguished 
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states: 



(„) \0,n)^+ \n,0)^ 



V2 



k=0 
k=0 (mod 2) 



(„, |0,n);,- |n,0>. 



V2 



k=0 
fc=l (mod 2) 



on-l 



\k,n-k) 



1/2 



\k,n-k) 



where "A; = (mod 2)" means "fc even", the sum being over all 
even values of k, and "A; = 1 (mod 2)" means "fc odd", the sum 
being over all odd values of k. The states |e'"'>j; and |o'"'>j; are 
clearly orthogonal. Moreover, if we measure state |e'"'>x (resp. 
state |o'"'>x) in the standard basis, the probability of getting k 
identical photons in state |i) for k even (resp. for k odd) is 
now 2 f{k; n, 1/2), twice that given by the binomial distribution, 
and it is otherwise: we never ever get and odd number of |i> 
photons with state le'"^)^: and never ever get an even number of 
|i> photons with state lo'"')^:. 

Similarly, if |e'"'> = (|0,n>+ |n,0>)/v^and |o'"'> = (|0,n>- 
|n,0))/V2 then 



fc=0 
fc=0 (mod 2) 



1/2 



on-l 



\k,n-k)^ (C8) 



*:=0 
k=l (mod 2) 



on-1 



1/2 



|fc,n-A;>;, (C9) 



4. The concluding lemma 

To prove the robustness of the photonic classical Alice with 
losses and multi photon pulses, we relied on the following result: 

Lemma — Given the bipartite state — \H)\0,0) + 

Lno>i l^'ono)|0'"o> + Z„^>i \Pn^o)\ni,0) inJ^E^^^, if there is 
a zero probability of measuring any basis states \ ri-, n+)x of ^ 
such that ri- > 0, then \Fqi) — \Fio), and |Fon) - \Fno) — for 
n>l. 

Proof. The overlap of n+)x with |0,0> is 0; so is its overlap 
of n+)x with any |?ii,0> or |0, tIq) for which rio ^ n+ + U- 
or rii ^ n+ + ri-. We thus need consider only cases where n = 
Ho - - n+ + fi- and thus the overlap of \n-,n-n-)x with the 
state |Fon> |0, n> + |Fno> \ n,Q)- A simple calculation shows that 



\Fan)\Q,n)+\Fno)\n,Q) 



is equal to 



\Fon)+\FnQ) 



V2 



\FQn) - \F„o) 



V2 



(CIO) 



(o'^' I \,\)x - 1, the probability of measuring |l,l>x is zero iff 
[|fo2> - |F20>]//2 = 0, i.e. if |Fo2> = |f'20>- On the other hand 
(o'2) I 2,Q)x = and (e*^) | 2,0)^ = 1/v^ and the probability of 
measuring |2,0>j; is zero iff [|Fo2> + l-F20>]/2 - i.e. if |fo2> - 
-\F2q)- For both probabilities to be zero, it is necessary and 
sufficient that IF02) - 1^20) - 0. 

For n > 2, any odd k is such that (e'"^ | k,n- k)x-0, and for 
the vector coefficient of lo'"^) in (CIO) to be 0, |F„o) = \Fon} 
is required; similarly, for any fc > even, <o'"' I k,n-k)x^O, 
which impUes |Fon> - - \Fno), and thus \Fon) - \F„o) -0. □ 



Section D: Extended Discussion 

1. PNS attack on QKD with classical Alice when Bob may send 
two photon pulses 

As in Appendix B, when two-photon pulses are sometimes 
sent, we can no longer get a proof of full robustness. Still, we 
provide here some evidence that QKD with classical Alice is 
potentially more robust than BB84. Let us examine an extreme 
case. In BB84 (see Sect. B), if the originator (Alice) sends 
(without being aware of it) only two-photon pulses. Eve gets 
full information without being noticed, and nothing in the tests 
performed by Alice and Bob can reveal the deviation from the 
original protocol. In QKD with classical Alice, it is not so. If 
the originator (Bob) sends (without being aware of it) only two- 
photon pulses. Eve gets full information via the nondemolition 
splitting as in section B 1, yet now, Alice and Bob can easily 
notice the deviation from the ideal protocol: Alice will notice 
that on half of the SIFT bits both her detectors click. 

Let us also consider the case in which Bob sometimes gen- 
erates two-photon pulses, and the loss rate is very large, much 
beyond that one considered in section B, so that p2 » piF. We 
have seen that the BB84 protocol is then totally non-robust (Eve 
gets full information). Is it also true for QKD with classical Al- 
ice? If Eve blocks all single-photon pulses, again, half the non- 
empty SIFT bits will cause both detectors to click, and Eve will 
be noticed. To keep Alice having less than half such illegitimate 
detections. Eve can either let some single-photon pulses go to 
Alice, or Eve can send, in addition to 1 0, 2> ;c , states such as 1 2, 0> 
and |0,2>, their superpositions and their mixtures. States such as 
|2,0> and |0,2), or their mixtures, will cause errors in case Alice 
applies CTRL and Bob measures in the x basis. States such as 
[|2,0> + |0,2)]/v^, which we already met more than once here, 
will not cause errors in case Alice use CTRL conditioned on Eve 
applying the proper transformation V such that the state received 
by Bob is "+". However, such states are as robust as the state 
"+" of the untouched protocol, thus we may conclude (although 
we do not attempt to provide a full proof here) that the further 
Eve's attack is from causing half the SIFT bits to have double- 
detections, the more robust the protocol is. 



For n- I the probability of measuring |l,0>;c must be 0. Since 
(6?'!' I 1,0) X = (because 1 is odd) and (o'^) | 1,0);^ = 1 the prob- 
ability of measuring |l,0>jcis zero iff [ |_Foi) - |-Fio>]/V2 = i.e. 
|foi> = |fio>. 

For n-2 Eves must make sure the probability of measuring 
both |l,l>x and |2,0>;c must be 0. From (e'^) | ^ j)^ ^ q and 



2. Three ways of strengthening our QKD with classical Alice 
protocol 

We have seen in the main paper a simple, yet non-trivial 
attack: Eve could prepare the state |£>[|0,2> + |2,0>]//2, 
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send it to Alice, and apply the transformation y[|£'>|0,2>] = 
|£'>|0,l>;y[|£>|2,0>] = \E}\1,0} on the way back, without be- 
ing noticed, but also, without gaining any information, as we 
proved. Although Eve gains nothing from that attack, it is po- 
tentially disturbing. It means that Eve can totally deviate from 
the protocol without being noticed, and such a situation is not 
desired; it could have a strong impact on security when noise is 
allowed, and/or when Bob sometimes sends 10,2);^. 

We now present three ways of improving the protocol and po- 
tentially making it more secure (although a security analysis is 
beyond the scope of this paper); two of these methods prevents 
Eve from applying the above-mentioned attack. 

• Technology improvement: Replacing the detectors by 
counters that can (at least) distinguish a single photon 
from more than one photon. Obviously, Alice's ability to 
distinguish in SIFT mode a single photon from more than 
one photon prevents the above-mentioned attack. Also, it 
allows Alice to obtain meaningful statistics in case Bob 
sometimes sends two photons in the state \0,2)x, as the 
case of AUce measuring |1,1> can now be compared to 
the cases of measuring |2,0) and |0,2>. 

• Algorithmic improvement: by adding more tests into the 
protocol we can improve its potential security. So far we 
only discussed the case in which Alice applies SIFT and 
Bob measures in the z basis, and the case in which Al- 
ice applies CTRL and Bob measures in the x basis. How- 
ever, Alice and Bob can easily add two tests: Alice applies 
SIFT and Bob measures in the x basis, and Alice applies 
CTRL and Bob measures in the z basis; such a modifica- 
tion could happen anyhow in real life QKD, because Bob 



is not currently using a quantum memory; see end note 10 
in the main paper. While these tests do not help against the 
above-mentioned attack they do help having a better esti- 
mate of the states Bob generates: in case Bob sometimes 
generates |0,2>jf, this can be noticed as a measurement of 
(1,1) in both Bob's detectors when Alice employs CTRL 
and Bob measures in the z basis, and similarly (a detec- 
tion in both Bob's detectors) when Alice employs SIFT 
yet does not get (1,1), and Bob measures in the x basis. 

• Protocol modification: Let us allow quantum Bob to add 
more states: We noted that in "QKD with classical Bob" 
the quantum originator sent not only |+> but also other 
states such as |o>. Then the quantum originator and the 
classical party performed their TEST on qubits going from 
the quantum originator to the classical party. In contrast, 
in QKD with classical Alice, one only defined the TEST 
on qubits going back from classical Alice to (quantum) 
Bob. We could allow our quantum Bob send also the 
states |o> and |i> and let him and classical Alice use those 
added qubits only for an additional TEST, comparing bits 
when Bob generated these states and Alice applied SIFT. 
Such a modification trivially prevents Eve from applying 
the above-mentioned attack, since the protocol involves 
(on the way to Alice) one of three non-orthogonal states 
in each transmission, thus if Eve always sends the above- 
mentioned state, she will be easily detected. 
Each of those modifications could only strengthen the proto- 
col. Potentially they can also be combined together. The use 
of counters, and the use of tests in different bases could also be 
helpful for improving BB84. 
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